CIAC J-063: Domain Name System (DNS) Denial of Service (DoS) Attacks
Martin Horneffer
Horneffer at rrz.Uni-Koeln.DE
Fri Nov 19 16:38:04 UTC 1999
With respect to CIAC J-063 / AUSCERT ALERT AL-1999.004
<http://www.ciac.org/ciac/bulletins/j-063.shtml> I just (partly) tried
to implement ACLs as suggested:
    acl trusted {
        localhost;
        ...
    };
    options {
        ...
        allow-query { trusted; };
    };
    ...
    zone "Uni-Koeln.DE" {
        type master;
        file "Uni-Koeln.DE";
        allow-query { any; };
    };
I immediately started getting unapproved queries from many hosts that
incorrectly use our machine as their recursive nameserver. While that
doesn't really bother me, I noticed something else.
Queries concerning our zones are correctly let through if the queried
name exists. But when asked for a non-existent name within our domain,
our nameserver now answers "Query refused" instead of "Non-existent
host/domain". E.g.:
    linus:~% nslookup foo.uni-koeln.de 134.95.100.209
    Server: noc.rrz.Uni-Koeln.DE
    Address: 134.95.100.209
    *** noc.rrz.Uni-Koeln.DE can't find foo.uni-koeln.de: Query refused
    linus:~%
Now that really bothers me! Is this correct behaviour and covered by the
behaviour of recursive nameservers, did I do something wrong or is it a
bug? And if it's not a bug: what shall I do with all the syslogs
concerning queries for non-existent names in our domains?
Martin
--
Martin Horneffer -- Horneffer at rrz.uni-koeln.de
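
Added example, not part of the original post: one way to triage the syslog entries the message asks about is to separate refused queries for names inside the served zone (the unexpected case) from refused queries for foreign names (clients wrongly using the server as a recursive resolver). The log message shape, the helper names and the sample lines are assumptions constructed for illustration; only the zone name and foo.uni-koeln.de come from the post.

```python
import re
from collections import Counter

# Assumed message shape (not taken from the post); adjust to your named's log text.
LINE_RE = re.compile(
    r'unapproved query from \[(?P<src>[0-9.]+)\]\.\d+ for "(?P<name>[^"]*)"'
)

def in_zone(name, zone):
    """True if name equals the zone apex or is a label-aligned subdomain of it."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def triage(lines, zones):
    """Return (refused in-zone names, sources asking for out-of-zone names)."""
    in_zone_names = Counter()
    foreign_sources = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an ACL refusal line
        name = m.group("name")
        if any(in_zone(name, z) for z in zones):
            # The ACL refused a query the zone's allow-query should have allowed.
            in_zone_names[name.rstrip(".").lower()] += 1
        else:
            # Client treating this server as its recursive resolver.
            foreign_sources[m.group("src")] += 1
    return in_zone_names, foreign_sources

# Constructed sample log lines (documentation address ranges, invented names).
PFX = "Nov 19 16:30:01 noc named[123]: "
SAMPLE = [
    PFX + 'unapproved query from [192.0.2.10].1027 for "www.example.com"',
    PFX + 'unapproved query from [192.0.2.10].1028 for "mail.example.net"',
    PFX + 'unapproved query from [198.51.100.7].53 for "notuni-koeln.de"',
    PFX + 'unapproved query from [203.0.113.5].1030 for "foo.uni-koeln.de"',
    PFX + 'unapproved query from [203.0.113.5].1031 for "FOO.Uni-Koeln.DE."',
    PFX + "Ready to answer queries.",
]

if __name__ == "__main__":
    names, sources = triage(SAMPLE, ["Uni-Koeln.DE"])
    print("refused in-zone names:", dict(names))
    print("sources asking for foreign names:", dict(sources))
```

The suffix check is label-aligned, so a name such as notuni-koeln.de is counted as foreign rather than as part of the zone.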